Two separate warnings have been published warning that certain encryption protocols are obsolete and may place organizations at risk. Both the US National Security Agency (NSA) and the Dutch National Cyber Security Centre (NCSC) have warned that TLS 1.1 and, to some extent, TLS 1.2 may leave organizations open to attack. It is recommended that TLS 1.3 be used. While the NCSC believes TLS 1.2 can still be secure it is not as future-proofed against potential attacks as TLS 1.3. Both the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) protocols were developed to create secure levels of communication between client and server. The protocols are deemed secure as they rely upon cryptographic encryption and authentication to help ensure that communication between the client and server remain private. However, over the years several weaknesses have been discovered and improvements made. Sadly, the adoption of improved TLS protocols has not been universally adopted and successful attacks have been seen.
The NSA warning still regards TLS 1.2 as secure and recommends all US government agencies ensure that these protocols are in place, namely TLS 1.2 and 1.3. The agency noted,
“Sensitive and valuable data requires strong protections within electronic systems and transmissions. Protected transmissions use a private, secure channel between a server and a client to communicate. Transport Layer Security (TLS) and Secure Sockets Layer (SSL)2 were developed as protocols to create these protected channels using encryption and authentication. Over time, new attacks against TLS and the algorithms it uses have been discovered. The standards and most products have been updated, but implementations often have not kept up. Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries. As a result, all systems should avoid using obsolete configurations for TLS and SSL protocols. According to the Office of Management and Budget (OMB) memorandum M-15-13, ‘all publicly accessible federal websites and web services are required to only provide service through secure connections.’”
The statement issued by the NSA also warned that even if TLS 1.2 and 1.3 protocols are in place network administrators must ensure that strong cryptographic parameters and cipher suites are used.
In TLS 1.2 the following are considered weak cryptographic parameters and cipher suites, NULL, RC2, RC4, DES, IDEA. While TLS 1.3 had already scraped the above-mentioned suites there are still implementations that support both 1.3 and 1.2 that can still use them. To help those tasked with defending networks the NSA has released several tools on GitHub which will assist in identifying systems on internal networks that are still using obsolete protocols and rectify the issue.
The NCSC warning in many ways mirrors the NSA’s; however, to future-proof networks the agency advises that government departments and corporate organizations begin to migrate to TLS 1.3 if they have not done so already. In a related notification the NCSC noted,
“NCSC-NL has decided to downgrade the security level of TLS 1.2 from Good to Sufficient. TLS 1.3, a considerable revision of TLS based on modern insights, remains Good. TLS 1.2 is less robust than TLS 1.3 with respect to evolving attack techniques. There are two reasons. First, various elements of TLS 1.2 were not re-used in TLS 1.3 because they were found to be weak. Second, TLS 1.3 contains less fragile configuration options than TLS 1.3. This makes TLS 1.3 simpler to configure safely. These differences make several attack classes that work against TLS 1.2 no longer applicable to TLS 1.3.”
Why all the fuss?
Over the years several weaknesses were found in TLS 1.1 which prompted an overhaul of the protocols. TLS 1.2 was released and for a time all was well. However, hackers are not known to leave things alone, and soon enough vulnerabilities were being found in the upgraded version as well. It was found that hackers could successfully conduct man-in-the-middle attacks even if TLS 1.2 had been adopted. Man-in-the-middle attacks are when an attacker intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two. Attackers might use this attack method to steal login credentials or personal information, spy on the victim, or sabotage communications or corrupt data. So for governments and even companies that transfer any information deemed sensitive, it is vital that the communication cannot be intercepted and decrypted.
Such an attack can be done in a variety of ways but typically involve the attacker sitting between the two communication points and either simply listening to the communication or modifying it in some way. Compromised traffic is then stripped of any encryption to either steal, change or reroute that traffic to the attacker’s destination of choice. In the past rerouting has been seen involving phishing sites or command-and-control servers belonging to the hacker. Because attackers may be silently observing or re-encrypting intercepted traffic to its intended source once recorded or edited, it can be a difficult attack to spot.
TLS 1.2 has already proved vulnerable to these attacks, and three have featured prominently over the last six years or so. The first attack deserving mention is POODLE, or to give it its full name Padding Oracle On Downgraded Legacy Encryption. The attack involves taking advantage of two design flaws, the first is how some TLS 1.2 systems will still communicate with legacy SSL protocols to help ensure compatibility across networks. The second, is a vulnerability is SSL block padding.
The details of how the attack can be done are technical and can be read up on in several reports for those interested. Suffice to say if done correctly an attacker can decipher encrypted communication blocks without needing to know what encryption method was used and by using automated tools by watching server responses can steal sensitive data like passwords.
The second attack method seen impacting TLS 1.2 is DROWN, which stands for Decrypting RSA with Obsolete and Weakened eNcryption. Such attacks again looked to exploit weaknesses in SSL 3 but only works if a server is compatible with an old version of the secure sockets layer (SSL) protocol that uses the weakened encryption algorithms. Modern versions of the protocol don’t support those algorithms, yet many servers maintain the capability of using that protocol if they are asked to.
The last attack method SLOTH, or Security Losses from Obsolete and Truncated Script, was also found to be able to target TLS 1.2 communications forced to communicate with outdated servers and technology as it supported MD5, now an obsolete authentication protocol. The name was also a jab at the slow rate at which new and better standards are adopted.
Web Browsers blocking TLS 1.0 and 1.1
In March 2020, Google, Apple, Mozilla, and Microsoft began blocking access to sites that were still using TLS 1.0 and 1.1. Sites include major banks, governments, news organizations, telecoms, e-commerce stores, and internet communities. In total it was determined over 800,000 websites were using the obsolete protocols which were created in 1996 and 2006. This number has slowly improved since then but at the time of the announcement, the tech companies mentioned above had already given website owners two years to meet the standards of at least being TLS 1.2 compliant. This was despite the fact that TLS 1.3 was already available.
If one looks at how long Flash was still supported and used despite all of its security concerns, it is little wonder that the adoption of better protocols takes so long. With regards to TLS, security professionals had already proved that even HTTPS traffic could be incepted and decrypted using obsolete protocols. One can only imagine how long it will take for TLS 1.3 to become standard despite the weaknesses of 1.2 already been proven, but this is likely only to become a thing when a new TLS protocol is released, or a better technology supplants it. The NSA’s concluding remarks may serve as a reminder to those needing one, the agency states,
“Organizations encrypt network traffic to protect data in transit. However, using obsolete TLS configurations provides a false sense of security since it looks like the data is protected, even though it really is not. Make a plan to weed out obsolete TLS configurations in the environment by detecting, remediating, and then blocking obsolete TLS versions, cipher suites, and finally key exchange methods. Prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information.”